Brice Augras

**Name of the Vulnerable Software and Affected Versions** IBM FlashSystem 900 versions 1.5.2.8 and prior IBM FlashSystem 900 versions 1.6.1.2 and prior **Description** The issue concerns stored cross-site scripting in the user management GUI, allowing users to embed arbitrary JavaScript code in the Web UI. This could alter the intended functionality, potentially leading to credentials disclosure within a trusted session. **Recommendations** For versions 1.5.2.8 and prior, update to a version later than 1.5.2.8 to resolve the issue. For versions 1.6.1.2 and prior, update to a version later than 1.6.1.2 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Kubernetes versions prior to 1.15.12 Kubernetes versions prior to 1.16.9 Kubernetes versions prior to 1.17.5 Kubernetes versions 1.0 through 1.14 Kubernetes version 1.18.0 **Description** The issue allows certain authorized users to leak up to 500 bytes of arbitrary information from unprotected endpoints within the master's host network, such as link-local or loopback services, due to a Server Side Request Forgery (SSRF) in the Kubernetes kube-controller-manager. An attacker with permission to create Pods with a specific type of Volume or permission to create StorageClass can force the kube-controller-manager to make GET or POST requests from the master host network to a user-provided unverified URL. It is reported that authentication data does not leak, but the leaked data may contain something interesting. **Recommendations** For versions prior to 1.15.12, update to version 1.15.12 or later. For versions prior to 1.16.9, update to version 1.16.9 or later. For versions prior to 1.17.5, update to version 1.17.5 or later. For versions 1.0 through 1.14, update to a version outside of this range. For version 1.18.0, update to a version later than 1.18.0. As a temporary workaround, consider restricting access to the `kube-controller-manager` to minimize the risk of exploitation.